A BOF to parse the imports of a provided PE file, optionally extracting the imported symbols on a per-DLL basis.

Overview

PE Import Enumerator BOF

What is this?

This is a BOF to enumerate the DLL files that a given PE file will load, read from the file's import table. Depending on the number of arguments, an operator can either view a listing of the DLLs the file imports, or view the functions imported from one of those DLLs.
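As an added illustration (this is not the BOF's own code, which is C built on the Win32 API), the following Python walks a PE file image's import directory the same way: DOS header, e_lfanew, optional-header data directory entry 1, the import descriptors, each descriptor's lookup table, and the hint/name entries. `build_sample_pe` constructs a minimal PE32+ with a single .idata section purely as offline test input; the DLL and function names in it are made up for the sample.

```python
import struct

def _rva_to_off(rva, secs):
    for va, raw, size in secs:                    # secs = [(VirtualAddress, PointerToRawData, size)]
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} lies in no section")

def _cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")

def parse_imports(pe):
    """Return {dll_name: [imported symbol, ...]} for a PE32 or PE32+ file image."""
    assert pe[:2] == b"MZ", "no MZ header"
    nt, = struct.unpack_from("<I", pe, 0x3C)                               # e_lfanew
    assert pe[nt:nt + 4] == b"PE\0\0", "no PE signature"
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, nt + 4)
    is64 = struct.unpack_from("<H", pe, nt + 24)[0] == 0x20B               # PE32+ magic
    imp_rva, = struct.unpack_from("<I", pe, nt + 24 + (112 if is64 else 96) + 8)  # DataDirectory[1]
    secs = [(va, raw, max(vsz, rsz)) for vsz, va, rsz, raw in
            (struct.unpack_from("<IIII", pe, nt + 24 + opt_size + 40 * i + 8) for i in range(nsec))]
    fmt, step, ordbit = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    imports, desc = {}, _rva_to_off(imp_rva, secs) if imp_rva else None
    while desc:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, desc)  # IMAGE_IMPORT_DESCRIPTOR
        if name_rva == 0:                                                  # all-zero terminator
            break
        funcs, thunk = [], _rva_to_off(oft or ft, secs)                     # lookup table, else IAT
        while (val := struct.unpack_from(fmt, pe, thunk)[0]) != 0:         # ordinal (high bit) or RVA of hint+name
            funcs.append(f"#{val & 0xFFFF}" if val & ordbit else _cstr(pe, _rva_to_off(val, secs) + 2))
            thunk += step
        imports[_cstr(pe, _rva_to_off(name_rva, secs))] = funcs
        desc += 20
    return imports

def build_sample_pe(imports, base=0x1000):
    """Constructed minimal PE32+ with one .idata section holding `imports` (test input only)."""
    blob = bytearray(20 * (len(imports) + 1))                              # descriptors + terminator
    for i, (dll, funcs) in enumerate(imports.items()):
        ilt = len(blob)
        blob += bytes(8 * (len(funcs) + 1))                                # thunks, filled in below
        for j, f in enumerate(funcs):
            struct.pack_into("<Q", blob, ilt + 8 * j, base + len(blob))
            blob += b"\0\0" + f.encode() + b"\0"                           # hint + name
        struct.pack_into("<IIIII", blob, 20 * i, base + ilt, 0, 0, base + len(blob), base + ilt)
        blob += dll.encode() + b"\0"
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    hdr += struct.pack("<H", 0x20B) + bytes(118) + struct.pack("<II", base, len(blob)) + bytes(112)
    hdr += b".idata\0\0" + struct.pack("<IIII", len(blob), base, len(blob), 0x200) + bytes(16)
    return hdr + bytes(0x200 - len(hdr)) + bytes(blob)
```

On a real file, `parse_imports(open(path, "rb").read())` gives the DLL listing as the dict keys and the per-DLL function listing as the values; bound imports and delay-load imports live in other data directories and are not covered here.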

Why?

At present, I was unaware of any existing BOF for Cobalt Strike to do such a thing. As well, these sorts of enumerators do exist; however, they all rely on similar methods: downloading a given file and examining it on one's own workstation/endpoint/insert your favorite nomenclature here.

This aims to replace such manual activities while remaining ON the target endpoint itself. We can do better, and should!

How is this useful?

Simply, this is an additional datapoint available to an operator in terms of awareness within their target environment(s). It enables follow-on work such as comparing the imports against the modules loaded in a running application, or deducing susceptibility to DLL hijacking, DLL sideloading, DLL proxying, etc. The world is your oyster, now!

What are the options this currently supports?

  • Option A:
    • process_imports_api PATH_TO_TARGET_EXECUTABLE, e.g. process_imports_api C:\Windows\System32\cmd.exe
  • Option B:

How do I make this operable?

  1. In this case, you have two options:
    1. Use the existing, compiled object file, located in the dist directory (AKA proceed to major step two)
    2. Compile from source via the Makefile
      1. cd src
      2. make clean
      3. make
  2. Load the Aggressor file (located in the dist directory) in the Script Manager

Any known downsides?

  • We're still using the Win32 API and Dynamic Function Resolution. How much "risk" that carries is for you to determine.
  • You may attempt a privileged action without the requisite permissions. I can't keep you from burning your hand.

What does the output look like?

  • Simple output
  • Specific DLL import functions output

Whom would you like to credit?

Duncan Ogilvie (@mrexodia). This wouldn't have come to fruition nearly as quickly without your existing code to reference. Thank you for abstracting away the pain of the PE file format for me, seriously.
